Computing networks can include multiple network devices such as routers, switches, hubs, servers, desktop PCs, laptops, and workstations, and peripheral devices, e.g., printers, facsimile devices, and scanners, networked together across a local area network (LAN) and/or wide area network (WAN).
Networks can include a network appliance (NA), e.g., an intrusion prevention system (IPS) and/or intrusion detection system (IDS), that serves to detect unwanted intrusions into, or activity on, the computer network. Unwanted network intrusions/activities may take the form of attacks through computer viruses and/or hackers, among others, trying to access the network. To this end, a NA can identify different types of suspicious network traffic and network device usage that cannot be detected by a conventional firewall. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, denial of service attacks, port scans, unauthorized logins and access to sensitive files, viruses, Trojan horses, and worms, among others. A NA can also include other forms of diagnostic devices, accounting devices, counting devices, etc., operable on network packets of interest.
In previous approaches, to identify suspicious network traffic or to properly account for the traffic, data traffic needed to pass through a point of the network where a NA is located. That is, network appliances used to be deployed solely as in-line devices, and have only recently become a shared resource local to one network device, e.g., a switch, router, etc. If the NA is not “in-line”, e.g., between one port and another in a network packet's intended path, then suspicious activity may not be detected, or the packets may not be properly counted. For large network systems, placing a NA in-line with all possible network packet intended paths can be both expensive to implement and very complex to maintain.
In previous approaches, IP subnets and virtual local area networks (VLANs), as the same are known by one of ordinary skill in the art, were used to address the above issue. In this approach only data packet traffic crossing a layer 2, e.g., bridged, domain would be sent to the router, which may apply additional security, accounting, or diagnostic checks. However, in today's networks group membership is not always easily divided among subnets or VLANs.
Link aggregation control protocol (LACP) is a standard in IEEE 802.3ad which defines a method of aggregating multiple links into a single logical link with greater redundancy and larger bandwidth. An aggregate link, also known as a “trunk”, is formed either manually or dynamically. A manual trunk comes into existence when a network administrator explicitly configures LACP on multiple network devices that are connected together with a set of links, e.g., physical (Layer 1) connections. A dynamic trunk can come into existence when an administrator has previously configured multiple network devices to support “dynamic” LACP, and two or more links are then connected between the switches.
When links are aggregated, the combined traffic of the trunk is often more than a single network appliance can handle. Additionally, when VLANs are being used, an aggregated link may carry traffic that resides on several of these VLANs, and only a subset of these VLANs may be of interest to monitor.
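As an added illustration of the last two paragraphs (not code from the original document), the following Python simulates the traffic of a two-member LACP trunk as lists of constructed Ethernet frames, parses the 802.1Q VLAN tag of each frame, and selects only the frames on the VLANs of interest for the appliance, reporting how much of the trunk's total traffic the NA would actually have to process. The frame contents, trunk layout and monitored VLAN set are all constructed sample values.

```python
import struct
from collections import defaultdict

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

def build_frame(vlan, payload_len):
    """Construct a minimal Ethernet frame; tagged with 802.1Q if vlan is not None.
    Sample data only: MAC addresses and payload are placeholders, not captured traffic."""
    dst = b"\x00\x11\x22\x33\x44\x55"
    src = b"\x66\x77\x88\x99\xaa\xbb"
    tag = b""
    if vlan is not None:
        tci = (0 << 13) | (0 << 12) | (vlan & 0x0FFF)  # PCP=0, DEI=0, VID=vlan
        tag = struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * payload_len

def vlan_id(frame):
    """Return the 802.1Q VID of a frame, or None if the frame is untagged or too short."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_VLAN or len(frame) < 16:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF  # low 12 bits carry the VLAN identifier

def select_for_appliance(trunk_members, monitored_vlans):
    """Merge the traffic of all trunk member links, keep only frames on monitored VLANs,
    and return (forwarded frames, total trunk bytes, bytes sent to NA, bytes per VLAN)."""
    forwarded, bytes_total = [], 0
    bytes_per_vlan = defaultdict(int)
    for link in trunk_members:
        for frame in link:
            bytes_total += len(frame)
            vid = vlan_id(frame)
            bytes_per_vlan[vid] += len(frame)
            if vid in monitored_vlans:
                forwarded.append(frame)
    bytes_to_na = sum(len(f) for f in forwarded)
    return forwarded, bytes_total, bytes_to_na, dict(bytes_per_vlan)

def demo():
    """Constructed trunk: two member links, three VLANs plus some untagged traffic; monitor VLAN 10."""
    link_a = [build_frame(10, 100), build_frame(20, 200)]
    link_b = [build_frame(10, 50), build_frame(None, 80), build_frame(30, 60)]
    return select_for_appliance([link_a, link_b], monitored_vlans={10})

if __name__ == "__main__":
    fwd, total, to_na, per_vlan = demo()
    print(f"trunk carried {total} bytes; NA receives {to_na} bytes in {len(fwd)} frames; per VLAN {per_vlan}")
```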